Hi, David, Sounds good then.
Thanks, Jun On Tue, Jun 9, 2020 at 10:59 AM David Jacot <dja...@confluent.io> wrote: > Hi Jun, > > Both are already in the KIP, see "New Broker Configurations" chapter. I > think > that we need them in order to be able to define different burst for the new > quota. > > Best, > David > > On Tue, Jun 9, 2020 at 7:48 PM Jun Rao <j...@confluent.io> wrote: > > > Hi, David, > > > > Another thing. Should we add controller.quota.window.size.seconds and > > controller.quota.window.num > > or just reuse the existing quota.window.size.seconds and quota.window.num > > that are used for other types of quotas? > > > > Thanks, > > > > Jun > > > > On Tue, Jun 9, 2020 at 10:30 AM Jun Rao <j...@confluent.io> wrote: > > > > > Hi, David, > > > > > > Thanks for the KIP. The name QUOTA_VIOLATED sounds reasonable to me. +1 > > on > > > the KIP. > > > > > > Jun > > > > > > On Tue, Jun 9, 2020 at 5:07 AM David Jacot <dja...@confluent.io> > wrote: > > > > > >> Hi Colin, > > >> > > >> Thank you for your feedback. > > >> > > >> Jun has summarized the situation pretty well. Thanks Jun! I would like > > to > > >> complement it with the following points: > > >> > > >> 1. Indeed, when the quota is exceeded, the broker will reject the > topic > > >> creations, partition creations and topics deletions that are exceeding > > >> with the new QUOTA_VIOLATED error. The ThrottleTimeMs field will > > >> be populated accordingly to let the client know how long it must wait. > > >> > > >> 2. I do agree that we actually want a mechanism to apply back pressure > > >> to the clients. The KIP basically proposes a mechanism to control and > to > > >> limit the rate of operations before entering the controller. I think > > that > > >> it is > > >> similar to your thinking but is enforced based on a defined quota > > instead > > >> of relying on the number of pending items in the controller. > > >> > > >> 3. You mentioned an alternative idea in your comments that, if I > > >> understood > > >> correctly, would bound the queue to limit the overload and reject work > > if > > >> the > > >> queue is full. I have been thinking about this as well but I don't > think > > >> that it > > >> works well in our case. > > >> - The first reason is the one mentioned by Jun. We actually want to be > > >> able > > >> to limit specific clients (the misbehaving ones) in a multi-tenant > > >> environment. > > >> - The second reason is that, at least in our current implementation, > the > > >> length of > > >> the queue is not really a good characteristic to estimate the load. > > >> Coming back > > >> to your example of the CreateTopicsRequest. They create path in ZK for > > >> each > > >> newly created topics which trigger a ChangeTopic event in the > > controller. > > >> That > > >> single event could be for a single topic in some cases or for a > thousand > > >> topics > > >> in others. > > >> These two reasons aside, bounding the queue also introduces a knob > which > > >> requires some tuning and thus suffers from all the points you > mentioned > > as > > >> well, isn't it? The value may be true for one version but not for > > another. > > >> > > >> 4. Regarding the integration with KIP-500. The implementation of this > > KIP > > >> will span across the ApiLayer and the AdminManager. To be honest, we > > >> can influence the implementation to work best with what you have in > mind > > >> for the future controller. If you could shed some more light on the > > future > > >> internal architecture, I can take this into account during the > > >> implementation. > > >> > > >> 5. Regarding KIP-590. For the create topics request, create partitions > > >> request, > > >> and delete topics request, we are lucky enough to have directed all of > > >> them > > >> to > > >> the controller already so we are fine with doing the admission in the > > >> broker > > >> which hosts the controller. If we were to throttle more operations in > > the > > >> future, > > >> I believe that we can continue to do it centrally while leveraging the > > >> principal > > >> that is forwarded to account for the right tenant. The reason why I > > would > > >> like > > >> to keep it central is that we are talking about sparse (or bursty) > > >> workloads here > > >> so distributing the quota among all the brokers makes little sense. > > >> > > >> 6. Regarding the naming of the new error code. BUSY sounds too generic > > to > > >> me so I would rather prefer a specific error code. The main reason > being > > >> that > > >> we may be able to reuse it in the future for other quotas. That being > > >> said, > > >> we > > >> can find another name. QUOTA_EXHAUSTED? I don't feel too strongly > about > > >> the naming. I wonder what the others think about this. > > >> > > >> VoilĂ . I hope that I have addressed all your questions/points and I am > > >> sorry for > > >> the lengthy email. > > >> > > >> Regards, > > >> David > > >> > > >> > > >> On Tue, Jun 9, 2020 at 2:13 AM Colin McCabe <cmcc...@apache.org> > wrote: > > >> > > >> > On Mon, Jun 8, 2020, at 14:41, Jun Rao wrote: > > >> > > Hi, Colin, > > >> > > > > >> > > Thanks for the comment. You brought up several points. > > >> > > > > >> > > 1. Should we set up a per user quota? To me, it does seem we need > > some > > >> > sort > > >> > > of a quota. When the controller runs out of resources, ideally, we > > >> only > > >> > > want to penalize the bad behaving applications, instead of every > > >> > > application. To do that, we will need to know what each > application > > is > > >> > > entitled to and the per user quota is intended to capture that. > > >> > > > > >> > > 2. How easy is it to configure a quota? The following is how an > > admin > > >> > > typically sets up a quota in our existing systems. Pick a generous > > >> > default > > >> > > per user quota works for most applications. For the few resource > > >> > intensive > > >> > > applications, customize a higher quota for them. Reserve enough > > >> resources > > >> > > in anticipation that a single (or a few) application will exceed > the > > >> > quota > > >> > > at a given time. > > >> > > > > >> > > > >> > Hi Jun, > > >> > > > >> > Thanks for the response. > > >> > > > >> > Maybe I was too pessimistic about the ability of admins to > configure a > > >> > useful quota here. I do agree that it would be nice to have the > > >> ability to > > >> > set different quotas for different users, as you mentioned. > > >> > > > >> > > > > >> > > 3. How should the quota be defined? In the discussion thread, we > > >> debated > > >> > > between a usage based model vs a rate based model. Dave and Anna > > >> argued > > >> > for > > >> > > the rate based model mostly because it's simpler to implement. > > >> > > > > >> > > > >> > I'm trying to think more about how this integrates with our plans > for > > >> > KIP-500. When we get rid of ZK, we will have to handle this in the > > >> > controller itself, rather than in the AdminManager. That implies > > we'll > > >> > have to rewrite the code. Maybe this is worth it if we want this > > >> feature > > >> > now, though. > > >> > > > >> > Another wrinkle here is that as we discussed in KIP-590, controller > > >> > operations will land on a random broker first, and only then be > > >> forwarded > > >> > to the active controller. This implies that either admissions > control > > >> > should happen on all brokers (needing some kind of distributed quota > > >> > scheme), or be done on the controller after we've already done the > > work > > >> of > > >> > forwarding the message. The second approach might not be that bad, > > but > > >> it > > >> > would be nice to figure this out. > > >> > > > >> > > > > >> > > 4. If a quota is exceeded, how is that enforced? My understanding > of > > >> the > > >> > > KIP is that, if a quota is exceeded, the broker immediately sends > > back > > >> > > a QUOTA_VIOLATED error and a throttle time back to the client, and > > the > > >> > > client will wait for the throttle time before issuing the next > > >> request. > > >> > > This seems to be the same as the BUSY error code you mentioned. > > >> > > > > >> > > > >> > Yes, I agree, it sounds like we're thinking along the same lines. > > >> > However, rather than QUOTA_VIOLATED, how about naming the error code > > >> BUSY? > > >> > Then the error text could indicate the quota that we violated. This > > >> would > > >> > be more generally useful as an error code and also avoid being > > >> confusingly > > >> > similar to POLICY_VIOLATION. > > >> > > > >> > best, > > >> > Colin > > >> > > > >> > > > > >> > > I will let David chime in more on that. > > >> > > > > >> > > Thanks, > > >> > > > > >> > > Jun > > >> > > > > >> > > > > >> > > > > >> > > On Sun, Jun 7, 2020 at 2:30 PM Colin McCabe <cmcc...@apache.org> > > >> wrote: > > >> > > > > >> > > > Hi David, > > >> > > > > > >> > > > Thanks for the KIP. > > >> > > > > > >> > > > I thought about this for a while and I actually think this > > approach > > >> is > > >> > not > > >> > > > quite right. The problem that I see here is that using an > > >> explicitly > > >> > set > > >> > > > quota here requires careful tuning by the cluster operator. > Even > > >> > worse, > > >> > > > this tuning might be invalidated by changes in overall > conditions > > or > > >> > even > > >> > > > more efficient controller software. > > >> > > > > > >> > > > For example, if we empirically find that the controller can do > > 1000 > > >> > topics > > >> > > > in a minute (or whatever), this tuning might actually be wrong > if > > >> the > > >> > next > > >> > > > version of the software can do 2000 topics in a minute because > of > > >> > > > efficiency upgrades. Or, the broker that the controller is > > located > > >> on > > >> > > > might be experiencing heavy load from its non-controller > > operations, > > >> > and so > > >> > > > it can only do 500 topics in a minute during this period. > > >> > > > > > >> > > > So the system administrator gets a very obscure tunable (it's > not > > >> > clear to > > >> > > > a non-Kafka-developer what "controller mutations" are or why > they > > >> > should > > >> > > > care). And even worse, they will have to significantly > "sandbag" > > >> the > > >> > value > > >> > > > that they set it to, so that even under the heaviest load and > > oldest > > >> > > > deployed version of the software, the controller can still > > function. > > >> > Even > > >> > > > worse, this new quota adds a lot of complexity to the > controller. > > >> > > > > > >> > > > What we really want is backpressure when the controller is > > >> > overloaded. I > > >> > > > believe this is the alternative you discuss in "Rejected > > >> Alternatives" > > >> > > > under "Throttle the Execution instead of the Admission" Your > > reason > > >> > for > > >> > > > rejecting it is that the client error handling does not work > well > > in > > >> > this > > >> > > > case. But actually, this is an artifact of our current > > >> implementation, > > >> > > > rather than a fundamental issue with backpressure. > > >> > > > > > >> > > > Consider the example of a CreateTopicsRequest. The controller > > could > > >> > > > return a special error code if the load was too high, and take > the > > >> > create > > >> > > > topics event off the controller queue. Let's call that error > code > > >> > BUSY. > > >> > > > Additionally, the controller could immediately refuse new > events > > if > > >> > the > > >> > > > queue had reached its maximum length, and simply return BUSY for > > >> that > > >> > case > > >> > > > as well. > > >> > > > > > >> > > > Basically, the way we handle RPC timeouts in the controller > right > > >> now > > >> > is > > >> > > > not very good. As you know, we time out the RPC, so the client > > gets > > >> > > > TimeoutException, but then keep the event on the queue, so that > it > > >> > > > eventually gets executed! There's no reason why we have to do > > that. > > >> > We > > >> > > > could take the event off the queue if there is a timeout. This > > >> would > > >> > > > reduce load and mostly avoid the paradoxical situations you > > describe > > >> > > > (getting TopicExistsException for a CreateTopicsRequest retry, > > etc.) > > >> > > > > > >> > > > I say "mostly" because there are still cases where retries could > > go > > >> > astray > > >> > > > (for example if we execute the topic creation but a network > > problem > > >> > > > prevents the response from being sent to the client). But this > > >> would > > >> > still > > >> > > > be a very big improvement over what we have now. > > >> > > > > > >> > > > Sorry for commenting so late on this but I got distracted by > some > > >> other > > >> > > > things. I hope we can figure this one out-- I feel like there > is > > a > > >> > chance > > >> > > > to significantly simplify this. > > >> > > > > > >> > > > best, > > >> > > > Colin > > >> > > > > > >> > > > > > >> > > > On Fri, May 29, 2020, at 07:57, David Jacot wrote: > > >> > > > > Hi folks, > > >> > > > > > > >> > > > > I'd like to start the vote for KIP-599 which proposes a new > > quota > > >> to > > >> > > > > throttle create topic, create partition, and delete topics > > >> > operations to > > >> > > > > protect the Kafka controller: > > >> > > > > > > >> > > > > > >> > > > >> > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-599%3A+Throttle+Create+Topic%2C+Create+Partition+and+Delete+Topic+Operations > > >> > > > > > > >> > > > > Please, let me know what you think. > > >> > > > > > > >> > > > > Cheers, > > >> > > > > David > > >> > > > > > > >> > > > > > >> > > > > >> > > > >> > > > > > >
